Full details of the Automattic Security Policy can be found on automattic.com/security.
For responsible disclosure of security issues and to be eligible for our bug bounty program, please submit your report based on instructions found on automattic.com/security.
We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines:
- Follow HackerOne's disclosure guidelines.
- Pen-testing Production:
- Please setup a local environment instead whenever possible. Most of our code is open source (see above).
- If that's not possible, limit any data access/modification to the bare minimum necessary to reproduce a PoC.
- Don't automate form submissions! That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels.
- To be eligible for a bounty, please follow all of these guidelines.
- Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability.
We also expect you to comply with all applicable laws. You're responsible to pay any taxes associated with your bounties.